Apple Opposes UK Surveillance Bill Over Encryption Concerns

Apple has submitted a formal statement to the bill committee working on a complex and controversial new surveillance law in the U.K., The Guardian reports. The submission was just released, and Apple is staying the course on privacy, saying that government backdoors could be used by anyone and would weaken the security of hundreds of millions of devices.

“We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” the company wrote. “In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers.”

As a reminder, the U.K. government is accused of fast-tracking the bill and wants to avoid opposition as much as possible. The Investigatory Powers Bill seeks to protect mass surveillance powers, as the DRIPA legislation will expire at the end of the year. But it also goes a bit further, for instance by making ISPs keep records of all their users’ Internet activity for 12 months.

And then there’s the encryption debate. There are two stances on this issue. The Government has been saying that the new piece of legislation merely incorporates powers from the previous piece of legislation. But privacy advocates and technology companies are saying that the language used greatly widens the scope of the bill.

In particular, Apple doesn’t want to alter the iMessage protocol. Currently, when you send an iMessage, everything is encrypted and Apple can’t even see the content of your messages because it doesn’t have the keys to decrypt them. But if a government forces Apple to change its protocol to provide a backdoor, it would make these messages accessible to potential hackers.

“The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers,” Apple wrote. “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”

Apple is also opposing another section of the draft bill. With the new bill, the security services can hack into computers and phones, and companies will have to help the Government. The last time something like this happened, it didn’t end well for the tech companies involved in the Snowden disclosures.

“Those businesses affected will have to cope with a set of overlapping foreign and domestic laws. When these laws inevitably conflict, the businesses will be left having to arbitrate between them, knowing that in doing so they might risk sanctions,” Apple wrote. “That is an unreasonable position to be placed in.”

Here’s the full statement:

The bill threatens to hurt law-abiding citizens in its effort to combat the few bad actors who have a variety of ways to carry out their attacks. The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.

Some have asserted that, given the expertise of technology companies, they should be able to construct a system that keeps the data of nearly all users secure but still allows the data of very few users to be read covertly when a proper warrant is served. But the Government does not know in advance which individuals will become targets of investigation, so the encryption system necessarily would need to be compromised for everyone.

The best minds in the world cannot rewrite the laws of mathematics. Any process that weakens the mathematical models that protect user data will by extension weaken the protection. And recent history is littered with cases of attackers successfully implementing exploits that nearly all experts either remained unaware of or viewed as merely theoretical.

The bill would attempt to force non-UK companies to take actions that violate the laws of their home countries. This would immobilise substantial portions of the tech sector and spark serious international conflicts. It would also likely be the catalyst for other countries to enact similar laws, paralysing multinational corporations under the weight of what could be dozens or hundreds of contradictory country-specific laws.

Those businesses affected will have to cope with a set of overlapping foreign and domestic laws. When these laws inevitably conflict, the businesses will be left having to arbitrate between them, knowing that in doing so they might risk sanctions. That is an unreasonable position to be placed in.

If the UK asserts jurisdiction over Irish or American businesses, other states will too. We know that the IP bill process is being watched closely by other countries. For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.